Challenge

• SDC 2009 - Challenged the Network Analysis community to automate the detection of Network Operations Centres (NOCs)

Phase 1: Intelligent Router Configuration File Parsing



• Routers have numerous services running on them that help identify the NOC IP ranges:

- SSH
- TELNET/VTY
- SNMP
- SYSLOG
- DNS
- TACACS
- RADIUS

• Access to these services tends to be locked down by the use of Access Control Lists (ACLs)

• Configuration files provide details of how services are configured.
NOCTURNAL SURGE

GCHQ response to challenge.

Early Prototype that looks at only:

- ACLs for SSH/TELNET
- ACLs for VTY

NOCTURNAL SURGE aka Find my NOC
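An added example, not code from the page and not NOCTURNAL SURGE itself, of the Phase 1 parsing the prototype describes. It reads a constructed Cisco IOS-style configuration (the hostname, ACL names and addresses are made up; 10/8 is RFC 1918 and the 192.0.2, 198.51.100 and 203.0.113 blocks are documentation space), finds the ACL bound to the VTY lines by access-class and the ACL named on the snmp-server community line, and converts each entry's wildcard mask to CIDR. An entry whose wildcard is non-contiguous has no CIDR form and is reported with cidr None, which is the case the v0.2 colour scheme highlights. Only numbered and named standard ACLs are handled; extended ACLs and other vendors' syntax are out of scope.

```python
"""Phase 1 illustration: pull the source networks that a Cisco IOS-style
configuration permits to reach its management plane (VTY access-class for
Telnet/SSH, SNMP community ACL) and convert each wildcard mask to CIDR,
flagging non-contiguous masks that cannot be expressed as a prefix."""
import ipaddress
import re

# Constructed sample configuration; not a device configuration from the page.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit 10.20.30.40
access-list 10 permit 198.51.100.0 0.0.0.31
access-list 10 permit 203.0.113.0 0.0.255.0
access-list 10 deny   any
!
ip access-list standard SNMP-MGRS
 permit host 192.0.2.10
 10 permit 198.51.100.64 0.0.0.15
!
snmp-server community s3cret RO SNMP-MGRS
!
line vty 0 4
 access-class 10 in
 transport input ssh telnet
!
"""

NUMBERED_ACL = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.+?)\s*$")
NAMED_ACL = re.compile(r"^ip access-list standard\s+(\S+)\s*$")
NAMED_ENTRY = re.compile(r"^\s+(?:\d+\s+)?(permit|deny)\s+(.+?)\s*$")
VTY_LINE = re.compile(r"^line vty\b")
ACCESS_CLASS = re.compile(r"^\s+access-class\s+(\S+)\s+in\b")
SNMP_COMMUNITY = re.compile(r"^snmp-server community\s+\S+\s+(?:RO|RW)\s+(\S+)\s*$")


def wildcard_to_network(addr, wildcard):
    """IOS wildcard (inverse) mask -> ip_network, or None when the wildcard
    is non-contiguous and therefore has no CIDR equivalent."""
    mask_int = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(mask_int))
    try:
        return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
    except ValueError:          # ipaddress rejects a non-contiguous netmask
        return None


def parse_source(field):
    """Return (address, wildcard) for a standard-ACL source field."""
    parts = field.split()
    if parts[0] == "any":
        return "0.0.0.0", "255.255.255.255"
    if parts[0] == "host":
        return parts[1], "0.0.0.0"
    if len(parts) == 1:         # a bare address means a single host
        return parts[0], "0.0.0.0"
    return parts[0], parts[1]


def parse_config(text):
    """Return (acls, bindings): acls maps ACL name -> [(action, addr, wildcard)],
    bindings maps management service -> ACL name."""
    acls, bindings = {}, {}
    block = None                # ("acl", name) or ("vty", None) while inside a block
    for line in text.splitlines():
        if not line.startswith(" "):
            block = None
            if m := NUMBERED_ACL.match(line):
                acls.setdefault(m[1], []).append((m[2], *parse_source(m[3])))
            elif m := NAMED_ACL.match(line):
                acls.setdefault(m[1], [])
                block = ("acl", m[1])
            elif VTY_LINE.match(line):
                block = ("vty", None)
            elif m := SNMP_COMMUNITY.match(line):
                bindings["snmp"] = m[1]
            continue
        if block and block[0] == "acl" and (m := NAMED_ENTRY.match(line)):
            acls[block[1]].append((m[1], *parse_source(m[2])))
        elif block and block[0] == "vty" and (m := ACCESS_CLASS.match(line)):
            bindings["vty"] = m[1]
    return acls, bindings


def management_sources(text):
    """Rows of {service, acl, action, source, cidr}; cidr is None when the
    wildcard cannot be written as a prefix and needs a manual look."""
    acls, bindings = parse_config(text)
    rows = []
    for service, name in sorted(bindings.items()):
        for action, addr, wildcard in acls.get(name, []):
            net = wildcard_to_network(addr, wildcard)
            rows.append({"service": service, "acl": name, "action": action,
                         "source": f"{addr} {wildcard}",
                         "cidr": str(net) if net else None})
    return rows


if __name__ == "__main__":
    for r in management_sources(SAMPLE_CONFIG):
        flag = "" if r["cidr"] else "  <- non-contiguous wildcard, check by hand"
        print(f"{r['service']:5} acl {r['acl']:10} {r['action']:6} "
              f"{r['cidr'] or r['source']}{flag}")
```

The deny-any entry is kept on purpose: an ACL whose only permits are a handful of /32s and /27s followed by deny any is exactly the shape that makes the permitted ranges a strong NOC signal, whereas a permit any on the VTY lines says nothing.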
NOCTURNAL SURGE::HomePage (screenshot of the internal web tool)

Recent Updates:

2011G11S - v0.2

- Added Server Information from TIDAL SURGE 'Services Used' Data for Projects and Global DR
- Added collapsible sections for above where number of Servers > 5
- Changed colour scheme to highlight unrecognised ACL bitmasks that do not convert to CIDR, and CIDR blocks in YELLOW

NOCTURNAL SURGE aka Find my NOC in AS [AS number input] (screenshot of the results page)

<-- Back to Query Page

- Summary Results

Columns: Occurrences | Source Network | Source Mask | ACL Name | Servers | GLOBAL SURGE LF Queries
GCHQ / CSEC NAC Joint tradecraft development

• During March 2011 GCHQ analysts visited CSEC to look at using PENTAHO for tradecraft modelling, working with CSEC NAC and CSEC/H3 software developers to see if they could model NOCTURNAL SURGE in PENTAHO and then implement it in OLYMPIA.

• Only possible to attempt because:

- GCHQ NAC use PENTAHO
- CSEC NAC/H3 use PENTAHO
- CSEC NAC have implemented the GCHQ NAC TIDAL SURGE database schema (DSD also have this)

• GCHQ approach based on AS

• CSEC approach based on Country
Pentaho - NOC Auto Detection

Transformation steps readable from the Pentaho diagram (input at the top, output at the bottom; several "Dummy (do nothing)" placeholder steps sit between stages):

- Input country digraph
- Filter on input country; Country digraph to lowercase
- Remove private IP addresses
- Dedupe exact range, method
- Trim whitespace from descriptions
- Select values
- Calculate number of IP addresses in range
- Filter <= /16
- Merge Join with geo data; Enrich with Geo
- Sort on 1st ip; Convert decimal IP to String; Dedupe on first ip
- Group intersecting IP ranges
- Sort on 1st ip
- Count by group id; Sort on group id
- Merge Join groups with company info
- Merge Join group ids with count
- Sort by group count; Sort by first ip
- Output raw results
- Output NOC ranges for input country, sorted by confidence
(slide fragment) ... to VTY lines; IP + Subnet Mask
Phase 2: Intelligent use of Metadata

• We do not always get full configuration files to parse.

• Services between routers and NOCs run on IP/TCP/UDP.

• We do create 5-tuple metadata from our collection:

- GCHQ have prototype database - 5-Alive
- CSEC have database - HYPERION
SNMP Protocol

SNMP Manager                              SNMP Agent
  get-request        --> UDP 161 -->
                     <-- get-response
  get-next-request   --> UDP 161 -->
                     <-- get-response
  set-request        --> UDP 161 -->
                     <-- get-response
  (UDP 162 on the manager) <-- trap
SNMP Protocol in 5-Alive (screenshot of the 5-Alive interface: "Diarised Events" and "Activity Graphs" tabs; Options, Help, Filter and Export to CSV controls; a list of UDP/161 events whose source IPs geolocate to US and LU and whose service field reads "Unknown")
Further drill down on activity for identified IP

Proto   Service                                  Src Port  Dst Port  First Seen           Last Seen
17 udp  DNS (Domain Name System)                 63226     53        2011-05-12 07:30:00  2011-05-12 08:00:00
17 udp  Trivial File Transfer Protocol (TFTP)    52096     69        2011-05-13 10:00:00  2011-05-13 10:30:00
17 udp  Trivial File Transfer Protocol (TFTP)    58912     69        2011-05-13 10:00:00  2011-05-13 10:30:00
17 udp  Trivial File Transfer Protocol (TFTP)    53438     69        2011-05-13 10:00:00  2011-05-13 10:30:00
17 udp  Network Time Protocol (NTP)              52096     123       2011-05-13 10:00:00  2011-05-13 10:30:00
17 udp  Network Time Protocol (NTP)              58912     123       2011-05-13 10:00:00  2011-05-13 10:30:00
17 udp  Network Time Protocol (NTP)              53438     123       2011-05-13 10:00:00  2011-05-13 10:30:00
17 udp  NetBIOS Datagram Service                 53438     138       2011-05-13 10:00:00  2011-05-13 10:30:00
17 udp  NetBIOS Datagram Service                 58912     138       2011-05-13 10:15:00  2011-05-13 10:45:00
17 udp  NetBIOS Datagram Service                 52096     138       2011-05-13 10:00:00  2011-05-13 10:30:00
17 udp  Simple Network Management Protocol (SNMP) 52096    161       2011-05-13 10:00:00  2011-05-13 10:30:00

The same three source ports (52096, 58912, 53438) recur across TFTP, NTP, NetBIOS and SNMP within the same half-hour window, so one host (or one address in front of a few hosts) is talking to the full set of management services at once.
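An added example, not code from the page and not 5-Alive or HYPERION, of turning 5-tuple records like the drill-down above into a ranked list of candidate NOC hosts. It assumes records are oriented with the destination port as the service port, as in the table, and credits an IP only for the NOC-side role of each management flow: the client that polls UDP/161, the server that receives traps on UDP/162 or TFTP, NTP, syslog and AAA traffic from routers, the client that opens Telnet or SSH to them. The port-to-service map, the scoring rule and every address are assumptions (documentation space, not real hosts).

```python
"""Phase 2 illustration: rank hosts seen in 5-tuple flow metadata by how
much they look like NOC management infrastructure (SNMP managers, trap
receivers, TFTP/NTP/syslog servers, Telnet/SSH clients of routers)."""
from collections import defaultdict
from dataclasses import dataclass

# (proto, service port) -> (service name, which end of the flow is the NOC).
# For SNMP polling the NOC is the client (it sends get-requests to UDP/161);
# for traps, TFTP, NTP, syslog and AAA the NOC is the server the router
# pushes to. Assumed mapping, typical of IOS deployments.
MGMT_PORTS = {
    ("udp", 161): ("snmp", "client"),   ("udp", 162): ("snmp-trap", "server"),
    ("udp", 69):  ("tftp", "server"),   ("udp", 123): ("ntp", "server"),
    ("udp", 514): ("syslog", "server"), ("udp", 53):  ("dns", "server"),
    ("tcp", 22):  ("ssh", "client"),    ("tcp", 23):  ("telnet", "client"),
    ("tcp", 49):  ("tacacs", "server"), ("udp", 1812): ("radius", "server"),
}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Constructed records (documentation addresses, not from any real collection),
# oriented so that dport is the service port as in the drill-down above.
# 192.0.2.10 polls three routers over SNMP and telnets to one; 192.0.2.11
# receives their TFTP/NTP/syslog; 198.51.100.5 probes a single router once.
FLOWS = [
    Flow("udp", "192.0.2.10", 52096, "203.0.113.1", 161),
    Flow("udp", "192.0.2.10", 52096, "203.0.113.2", 161),
    Flow("udp", "192.0.2.10", 58912, "203.0.113.3", 161),
    Flow("udp", "203.0.113.1", 1024, "192.0.2.10", 162),
    Flow("tcp", "192.0.2.10", 40000, "203.0.113.2", 23),
    Flow("udp", "203.0.113.1", 49201, "192.0.2.11", 69),
    Flow("udp", "203.0.113.2", 49202, "192.0.2.11", 123),
    Flow("udp", "203.0.113.3", 49203, "192.0.2.11", 514),
    Flow("udp", "203.0.113.1", 49204, "192.0.2.53", 53),
    Flow("udp", "198.51.100.5", 33333, "203.0.113.1", 161),
    Flow("tcp", "203.0.113.1", 49205, "192.0.2.99", 443),   # not a management service
]


def noc_evidence(flows):
    """Map ip -> {service: set(router peers)}, crediting only the NOC-side
    end of each management flow; the router end earns nothing."""
    evidence = defaultdict(lambda: defaultdict(set))
    for f in flows:
        hit = MGMT_PORTS.get((f.proto, f.dport))
        if hit is None:
            continue                       # ephemeral-to-ephemeral or unrelated traffic
        service, noc_role = hit
        noc_ip, peer = (f.src, f.dst) if noc_role == "client" else (f.dst, f.src)
        evidence[noc_ip][service].add(peer)
    return evidence


def score(services):
    """One point per distinct management service plus one per distinct
    router peer beyond the first: a one-off probe of a single device scores
    1, a manager polling a fleet scores higher."""
    peers = set().union(*services.values())
    return len(services) + max(len(peers) - 1, 0)


def candidate_noc_hosts(flows, min_score=2):
    """[(ip, score, sorted services)] for hosts at or above min_score,
    highest score first."""
    ranked = [(ip, score(svcs), sorted(svcs))
              for ip, svcs in noc_evidence(flows).items()]
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return [r for r in ranked if r[1] >= min_score]


if __name__ == "__main__":
    for ip, s, svcs in candidate_noc_hosts(FLOWS):
        print(f"{ip:15} score={s}  {', '.join(svcs)}")
```

With real collection the direction assumption is the fragile part: if the metadata store does not preserve which side opened the conversation, the port number alone cannot tell an SNMP manager from an SNMP agent, and the router end would be credited as often as the NOC end.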
Phase 3: Intelligent use of TELNET traffic

• Again, we do not always get full configuration files. Phase 1 is based on full (or as near to full) configuration files.

• GCHQ NAC collect TELNET sessions into TERMINAL SURGE

- Collection based on TCP Port 23 (TELNET)
- Other protocols use TCP Port 23 (YMSG)

• Interaction with routers over TCP Port 23 may be nefarious:

- Scanning
- Password guessing

• Need to separate legitimate use from nefarious activity

• Look for signs of legitimate use:

- Successful login
- Follow-on commands
From TCP Port 23 (Echo) / To TCP Port 23 (captured session contents shown in Notepad):

pu6TXXV
terminal width 512
show ip route isis
show controller E1 0/1/0 brief
show interfaces description
show ip route static
show interfaces | include Tunnel
show ipv6 route static
show controller E1 0/1/0 | inc Description:
show ipv6 route eigrp
show bfd neighbors
show ip route rip
show ipv6 neighbors
show ip arp
show ip route local
show interface FastEthernet0/1 | inc Description:
show ip route bgp
Intelligent analysis of TELNET traffic

The fact that login was successful for both examples means the following:

- From TCP Port 23 (the server's echo and command output): the To IP address is the Network Management Terminal (in the NOC?)
- To TCP Port 23 (the operator's keystrokes): the From IP address is the Network Management Terminal (in the NOC?)
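An added example, not the page's own code and not TERMINAL SURGE, of the separation this slide and the previous two describe. It groups unidirectional TCP/23 captures (the page's "From TCP Port 23" and "To TCP Port 23") into sessions, calls a session legitimate only when an IOS command prompt appears after the password prompt and operator commands follow, flags repeated password prompts or an IOS login-failure string without any prompt as password guessing, an untouched banner as a scan, and a YMSG header as Yahoo Messenger riding on port 23. The management terminal is then the IP on the non-23 end of each legitimate session. Sessions, addresses and the prompt and error strings are constructed.

```python
"""Phase 3 illustration: separate legitimate operator Telnet sessions from
password guessing, scanning and non-Telnet traffic on TCP/23, then name the
management terminal as the IP on the non-23 end of a successful session."""
import re
from collections import defaultdict

# One captured direction of a TCP/23 conversation: (src, sport, dst, dport, payload).
# Constructed samples with documentation addresses; not captures from the page.
SEGMENTS = [
    # session A: operator logs in and runs show commands (legitimate)
    ("192.0.2.10", 40001, "203.0.113.1", 23,
     "hunter2\r\nterminal width 512\r\nshow ip route static\r\nshow interfaces description\r\n"),
    ("203.0.113.1", 23, "192.0.2.10", 40001,
     "\xff\xfb\x01User Access Verification\r\nPassword: \r\n"
     "edge-rtr-01>terminal width 512\r\nedge-rtr-01>show ip route static\r\n"
     "S    10.0.0.0/8 [1/0] via 203.0.113.254\r\nedge-rtr-01>show interfaces description\r\n"
     "Interface  Status  Protocol Description\r\nedge-rtr-01>"),
    # session B: three wrong passwords, no prompt ever appears (guessing)
    ("198.51.100.5", 40002, "203.0.113.1", 23, "admin\r\ncisco\r\npassword\r\n"),
    ("203.0.113.1", 23, "198.51.100.5", 40002,
     "User Access Verification\r\nPassword: \r\nPassword: \r\nPassword: \r\n% Bad passwords\r\n"),
    # session C: banner grab, the client never types anything (scan)
    ("198.51.100.6", 40003, "203.0.113.2", 23, ""),
    ("203.0.113.2", 23, "198.51.100.6", 40003, "\xff\xfd\x18User Access Verification\r\nPassword: "),
    # session D: Yahoo Messenger on TCP/23 (not Telnet at all)
    ("192.0.2.77", 40004, "198.51.100.9", 23, "YMSG\x00\x10\x00\x00\x00\x12\x00\x57"),
]

PROMPT = re.compile(r"^[\w.-]+[>#]", re.M)              # hostname> or hostname#
PASSWORD = re.compile(r"Password:")
LOGIN_FAIL = re.compile(r"% (?:Bad passwords|Login invalid|Access denied)|Login incorrect", re.I)
# Operator commands, optionally preceded by the echoed prompt on the server stream.
COMMAND = re.compile(
    r"^(?:[\w.-]+[>#])?(?:terminal|show|sh|conf(?:igure)?|enable|copy|write|ping|traceroute)\b",
    re.M | re.I)


def clean(payload):
    """Drop Telnet IAC negotiation and other non-printable bytes."""
    return re.sub(r"[^\x20-\x7e\r\n]", "", payload)


def sessions(segments):
    """Group unidirectional captures into (client, server) -> both streams."""
    out = defaultdict(lambda: {"to_server": "", "from_server": ""})
    for src, sport, dst, dport, payload in segments:
        if dport == 23:
            out[(src, dst)]["to_server"] += payload
        elif sport == 23:
            out[(dst, src)]["from_server"] += payload
    return out


def classify(to_server, from_server):
    """legitimate | password-guessing | scan | not-telnet | inconclusive."""
    if to_server.startswith("YMSG") or from_server.startswith("YMSG"):
        return "not-telnet"
    to_server, from_server = clean(to_server), clean(from_server)
    prompts = PROMPT.findall(from_server)
    commands = COMMAND.findall(to_server) or COMMAND.findall(from_server)
    if prompts and commands:                      # successful login + follow-on commands
        return "legitimate"
    if not prompts and (LOGIN_FAIL.search(from_server)
                        or len(PASSWORD.findall(from_server)) >= 3):
        return "password-guessing"
    if not prompts and not to_server.strip():     # banner seen, nothing typed
        return "scan"
    return "inconclusive"


def management_terminals(segments):
    """Return (sorted client IPs of legitimate sessions, verdict per session)."""
    verdicts = {key: classify(s["to_server"], s["from_server"])
                for key, s in sessions(segments).items()}
    terminals = sorted({client for (client, _), v in verdicts.items() if v == "legitimate"})
    return terminals, verdicts


if __name__ == "__main__":
    terminals, verdicts = management_terminals(SEGMENTS)
    for (client, server), v in verdicts.items():
        print(f"{client:14} -> {server:14} {v}")
    print("management terminals:", terminals)
```

Character-at-a-time Telnet clients send one keystroke per segment, so on real captures the keystroke stream should be reassembled per TCP session before the command regex is applied; the server's echo stream, which the page relies on, is usually the cleaner source.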
Phase 4: Bulk Port Scanning

• We know the key services/servers running in the NOC

• Utilise HACIENDA, GCHQ's bulk port scanning capability, to identify what IPs have these service ports open - additional logic to build up confidence required.
Fusion of sources

• Aim is to bring all sources that help identify NOC IP ranges together with associated confidence.

• Different techniques provide different results due to the nature of passive access (international vs in-country, for instance)

• Different techniques have different levels of reliability - therefore looking to develop aggregation with an overlay of smart intelligence.

• Solution can work on not just ISP NOCs but also Mobile OMCs.
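An added example, not Pentaho or NOCTURNAL SURGE code, that serves both the Pentaho transformation listed earlier and this fusion slide. It takes candidate ranges tagged by the phase that produced them, applies the pipeline's filters (remove RFC 1918 space, drop anything broader than a /16, dedupe exact range and source), sorts on first IP and groups intersecting ranges, then ranks each group by a source-weighted confidence. The per-source weights, the cap of ten observations per source and every range are assumptions; the geo and company enrichment joins are left out.

```python
"""Fusion illustration: merge NOC-range candidates from the four phases,
filter them the way the Pentaho pipeline does, group intersecting ranges
and rank each group by a source-weighted confidence."""
import ipaddress
from collections import defaultdict

# Assumed reliability per source (not values from the page): a management
# ACL in a device config is stronger evidence than a port-scan hit.
SOURCE_WEIGHT = {"config-acl": 1.0, "telnet-login": 0.8, "flow-5tuple": 0.6, "port-scan": 0.3}
OBSERVATION_CAP = 10            # so one chatty source cannot dominate the score

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed candidates: (range, source, observation count). Documentation
# addresses only; nothing here comes from the page.
CANDIDATES = [
    ("192.0.2.0/24",      "config-acl",   7),
    ("192.0.2.0/25",      "telnet-login", 2),
    ("192.0.2.10/32",     "flow-5tuple",  40),
    ("192.0.2.200/32",    "port-scan",    1),
    ("198.51.100.64/28",  "config-acl",   3),
    ("198.51.100.64/28",  "config-acl",   3),    # exact duplicate: dropped by dedupe
    ("203.0.113.0/8",     "port-scan",    1),    # broader than /16: dropped
    ("10.20.30.0/24",     "config-acl",   5),    # RFC 1918: dropped
    ("198.51.100.250/32", "port-scan",    1),    # scan-only singleton: low confidence
]


def is_rfc1918(net):
    return any(net.subnet_of(p) for p in RFC1918)


def normalise(candidates, max_prefix_bits=16):
    """Parse, drop private and over-broad ranges, dedupe exact (range, source)."""
    seen, out = set(), []
    for text, source, count in candidates:
        net = ipaddress.ip_network(text, strict=False)
        if is_rfc1918(net) or net.prefixlen < max_prefix_bits:
            continue
        if (net, source) in seen:
            continue
        seen.add((net, source))
        out.append((net, source, count))
    return out


def group_intersecting(rows):
    """Sort on first IP and merge rows whose ranges overlap into groups
    (the pipeline's 'Group intersecting IP ranges' step)."""
    rows = sorted(rows, key=lambda r: (int(r[0].network_address), r[0].prefixlen))
    groups, current, current_end = [], [], -1
    for row in rows:
        start, end = int(row[0].network_address), int(row[0].broadcast_address)
        if current and start <= current_end:
            current.append(row)
            current_end = max(current_end, end)
        else:
            if current:
                groups.append(current)
            current, current_end = [row], end
    if current:
        groups.append(current)
    return groups


def fuse(candidates):
    """Ranked groups: covering CIDRs, contributing sources, confidence, member count."""
    results = []
    for group in group_intersecting(normalise(candidates)):
        per_source = defaultdict(int)
        for _, source, count in group:
            per_source[source] += count
        conf = sum(SOURCE_WEIGHT[s] * min(c, OBSERVATION_CAP) for s, c in per_source.items())
        first = min(int(n.network_address) for n, _, _ in group)
        last = max(int(n.broadcast_address) for n, _, _ in group)
        cover = [str(c) for c in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]
        results.append({"cover": cover, "sources": sorted(per_source),
                        "confidence": round(conf, 2), "members": len(group)})
    results.sort(key=lambda r: -r["confidence"])
    return results


if __name__ == "__main__":
    for r in fuse(CANDIDATES):
        print(f"{r['confidence']:6}  {', '.join(r['cover']):20} "
              f"{r['members']} candidates from {', '.join(r['sources'])}")
```

Agreement across independent sources is what lifts a group: the 192.0.2.0/24 group wins because a config ACL, a successful Telnet login, flow metadata and a scan all land inside it, while a /32 seen only by the scanner stays at the bottom where the "additional logic to build up confidence" of Phase 4 would have to add to it.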
And then... enabling CNE on NOCs

• We now have IP ranges - need selectors of NOC staff to enable QUANTUM INSERT attack against them.

• Use of GCHQ TDI capability to identify selectors coming out of IP ranges and/or identification of proxy/NAT within NOC range.
NOC IP range search in MUTANT BROTH (screenshot of the query page)

MUTANT BROTH: Identifier Search | IP Address Search | Password Search | IP Preset Search

Legal Context

This is a powerful technique that allows you to pull back presence events for an IP network.

You must make sure that your HRA justification (...) clearly explains why you are querying on an IP network, as you are more likely to retrieve the communications of innocent individuals as well as t...

Your queries will be logged for audit.

You should use Traceroute or DNS lookup first so that only IP prefixes registered or associated with the target networks are queried.

If you suspect that the IP prefix is dynamic, you must either combine this search with another filter, e.g. an HHFP, or limit the query length to 60 minutes.

If, after running the query, it is clear that the IP prefix is dynamic, you should not look at the results as they are unlikely to relate to your target.

Search for IP address prefixes

Enter the set of IP address prefixes.

The IP address range must be specified as: <dotted decimal IP>/<prefix length>

Example: 172.16.17.0/23
192.168.4.5
192.168.123.0/17

Prefix lengths of less than 16 bits will be ignored.

Absent lengths are assumed to be 32 bits.

Optionally enter the HHFP or the time period start and search length in minutes.

MIRANDA: 20135
JIC: 2
Search length (minutes): 20000
Purpose: NS
Reason: Belgacom research
[Execute]

Source IP: 80.84.19.9
NOC IP range - Target identifiers for QUANTUM INSERT (screenshot of MUTANT BROTH results)

Columns: Date | Time | Source IP:HHFP | Source IP Geo | Identifier Type | User-Agent | Routine Source
(User-Agent values are truncated in the capture to "Mozilla/5.0 (X...", "Mozilla/4.0 (c..." and "Mozilla/5.0 (W...")

17/05/11  00:02:54  80.84.19.9:d23bad41  50.83; 4.33; BRUSSELS; BE; 7LHV  Yahoo-B-Cookie
17/05/11  00:02:59  80.84.19.9:d23bad41  50.83; 4.33; BRUSSELS; BE; 7LHV  Yahoo-B-Cookie
17/05/11  00:02:59  80.84.19.9:d23bad41  50.83; 4.33; BRUSSELS; BE; 7LHV  Yahoo-B-Cookie
17/05/11  00:05:37  80.84.19.9:5eec974d  50.83; 4.33; BRUSSELS; BE; 7LHV  Google-PREFID-Cookie
17/05/11  00:16:18  80.84.19.9:7d9134a5  50.83; 4.33; BRUSSELS; BE; 7LHV  Google-PREFID-Cookie
17/05/11  00:17:53  80.84.19.9:77337b02  50.83; 4.33; BRUSSELS; BE; 7LHV  Google-PREFID-Cookie
17/05/11  00:23:35  80.84.19.9:e4a90e3f  50.83; 4.33; BRUSSELS; BE; 7LHV  Google-PREFID-Cookie
17/05/11  00:23:05  80.84.19.9:7d9134a5  50.83; 4.33; BRUSSELS; BE; 7LHV  Google-PREFID-Cookie
17/05/11  00:37:34  80.84.19.9:b36315d3  50.83; 4.33; BRUSSELS; BE; 7LHV  Google-PREFID-Cookie
17/05/11  00:39:55  80.84.19.9:f12397e0  50.83; 4.33; BRUSSELS; BE; 7LHV  Google-PREFID-Cookie
17/05/11  00:47:56  80.84.19.9:477c4721  50.83; 4.33; BRUSSELS; BE; 7LHV  Google-PREFID-Cookie
17/05/11  00:54:33  80.84.19.9:d23bad41  50.83; 4.33; BRUSSELS; BE; 7LHV  Google-PREFID-Cookie

Footer: Identifier | Value | Event Count (%)
Questions?